Summary
Numerous articles have been published on the risk management lessons learned from the current credit crunch. The common thread is that the mistakes this time are more or less the same as prior to any other crisis; disregard for rare events, to much concentration and what seems more apparent now: lack of understanding of the new and complex breed of financial derivative instruments and markets. The discussion has focused on the larger players in the market, but what is the lesson for the smaller?
Analysis
It is common knowledge that when crisis hit, risk management models and procedures tend to brake down. This stems e.g. from the fact that most methods and procedures employed build on recent historical behavior of markets and instruments, which usually is not that representative for the future when crisis hit. This time around the situation seems to be further compounded by the complexity of the instruments and markets, e.g. the cds/cdo/cmo/clo markets, where most market participants relied on external valuations and risk assessments that later proved faulty at best.
The discussion until now has focused mostly on the larger players and market makers that have large risk management departments and the resources to employ advanced models and procedures to manage risk (and still didn't do all that well). But what about the small and medium sized companies and investors? What are the lessons they should take to hart and how should they react? Is it for example necessary for these smaller players to employ (or subscribe to) extremely advanced systems and models to avoid disasters like the one we are living?
The answer to the last question is probably no, apart from the fact that such solutions would most likely be to costly and resource intensive. The more important thing to realize is that before the more sophisticated models and methods provide value, the foundations for solid risk management must be in place. This includes such things as:
- Having a documented risk policy
- Monitoring all the basic types of risk and not just market risk (not forgetting e.g. liquidity risk, counterparty risk, legal risk, operational risk etc.)
- A policy to only invest in instruments that can be adequately understood (and monitored)
- Simple, efficient and timely reporting of risk
- Predefined action plans in case of disaster
- A risk policy/monitoring that can be supported with the available resources (human and systems)
It is a well established rule of thumb for surprisingly many situations that around 80% of effects will be caused by around 20% of causes (Pareto's 80/20 rule). This is most likely also the situation with risk management in the average small and mid sized company, i.e. that they could capture around 80% of the risk's they are missing today by addressing the first 20% easy to fix issues with their risk management.
As larger companies have had difficulties in adequately managing the last 20% of their risks it is unrealistic to expect small and mid sized companies, with less resources, to do any better. Many have even suggested that avoiding these infrequent, ill to manage, risks is more of an art than science. This highlights however what is probably the most important factor in the risk management of any company and especially the smaller ones: The quality of the person in charge of risk.
In short, a reasonable action plan for the average small to mid sized company could be laid out as follows:
- Get the (simple) foundations for risk management right
- Make sure that risk management works in tandem with (and supports) other activities
- Allocate enough resources to support the planned risk management
- And hire an experienced, highly qualified, head of risk
Only when this is done is money spent on complicated modeling and procedures, money well spent.
This author consults with leading institutions through GLG
Analyses are solely the work of the authors and have not been edited or endorsed by GLG.
